【华为WLAN】WLAN网络,AC旁挂直接转发基本配置。

实验拓扑

wKiom1eEpMOAVJeeAAB8vA1HYqc096.png

拓扑说明

AP1的业务VLAN为101

AP2的业务VLAN为102

AP的管理VLAN为100

业务地址池和管理地址池统一在AC上配置

业务地址网关在路由器上

AP1属于域1,AP2属于域2

转发模式采用直接转发

VLAN101的地址为:192.168.10.0/24,gateway 192.168.10.1

VLAN102的地址为:192.168.20.0/24,gateway 192.168.20.1

VLAN100的地址为:192.168.1.1/24

AP1的SSID为:huawei-1,密码:Admin@123

AP2的SSID为:huawei-2,密码:Admin@123



 

SW1配置

[SW1]vlan batch 100 to 102

[SW1]interface g0/0/1

[SW1-GigabitEthernet0/0/1]port link-type trunk

[SW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 100 101

//配置Trunk允许VLAN100和VLAN101通过:用户VLAN101由AC下发,VLAN100为管理VLAN

[SW1-GigabitEthernet0/0/1]port trunk pvid vlan 100

//将连接AP的接口PVID改为管理VLAN100

[SW1-GigabitEthernet0/0/1]int g0/0/2

[SW1-GigabitEthernet0/0/2]port link-type trunk

[SW1-GigabitEthernet0/0/2]port trunk allow-pass vlan 100 102

[SW1-GigabitEthernet0/0/2]port trunk pvid vlan 100

[SW1-GigabitEthernet0/0/2]int g0/0/4

[SW1-GigabitEthernet0/0/4]port link-type trunk

[SW1-GigabitEthernet0/0/4]port trunk allow-pass vlan 101 102

//上行口配置为Trunk,透传业务VLAN101和VLAN102

[SW1-GigabitEthernet0/0/4]int g0/0/3

[SW1-GigabitEthernet0/0/3]port link-type trunk

[SW1-GigabitEthernet0/0/3]port trunk allow-pass vlan 100 to 102

//透传全部用户VLAN和管理VLAN

 

 

R1配置

[R1]int g0/0/0.10

[R1-GigabitEthernet0/0/0.10]dot

[R1-GigabitEthernet0/0/0.10]dot1q termination vid 101

[R1-GigabitEthernet0/0/0.10]a b e

[R1-GigabitEthernet0/0/0.10]ip add 192.168.10.1 24

[R1-GigabitEthernet0/0/0.10]int g0/0/0.20

[R1-GigabitEthernet0/0/0.20]dot1q termination vid 102

[R1-GigabitEthernet0/0/0.20]a b e

[R1-GigabitEthernet0/0/0.20]ip add 192.168.20.1 24

 

 

AC配置

[AC6605]vlan batch 100 to 102     //建立VLAN

[AC6605]dhcp enable                   //开启DHCP功能

[AC6605]ip pool 101                //建立一个名称为101的地址池

[AC6605-ip-pool-101]network 192.168.10.0 mask 24   //网络号

[AC6605-ip-pool-101]gateway-list 192.168.10.1     //网关

[AC6605-ip-pool-101]dns-list 8.8.8.8                //dns

[AC6605-ip-pool-101]quit

[AC6605]ip pool 102

[AC6605-ip-pool-102]network 192.168.20.0 mask 24

[AC6605-ip-pool-102]gateway-list 192.168.20.1

[AC6605-ip-pool-102]dns-list 8.8.8.8

[AC6605-ip-pool-102]quit

[AC6605]int g0/0/1

[AC6605-GigabitEthernet0/0/1]port trunk allow-pass vlan 100 to 102

[AC6605-GigabitEthernet0/0/1]quit

//物理接口作中继透传用户VLAN和管理VLAN

[AC6605]int vlan 100

[AC6605-Vlanif100]ip add 192.168.1.1 24

[AC6605-Vlanif100]dhcp select interface     //配置IP地址和基于接口的DHCP功能

[AC6605-Vlanif100]int vlan 101

[AC6605-Vlanif101]ip add 192.168.10.2 24

[AC6605-Vlanif101]dhcp select global   //配置IP地址和基于全局地址池的DHCP功能

[AC6605-Vlanif101]int vlan 102

[AC6605-Vlanif102]ip add 192.168.20.2 24

[AC6605-Vlanif102]dhcp select global

[AC6605-Vlanif102]quit

[AC6605]wlan ac-global ac id 1 carrier id other

//配置AC的ID和运营商标识

[AC6605]wlan ac-global country-code CN      //配置国家编码

[AC6605]wlan                //进入WLAN视图

[AC6605-wlan-view]wlan ac source interface Vlanif 100

//配置CAPWAP隧道的源接口,即管理VLAN对应的Vlanif接口

[AC6605-wlan-view]ap-region id 1      //创建AP域,ID为1

[AC6605-wlan-ap-region-1]quit

[AC6605-wlan-view]ap-region id 2      

[AC6605-wlan-ap-region-2]quit

[AC6605-wlan-view]ap-profile id 1 name 1     //建立一个AP模板

[AC6605-wlan-ap-prof-1]quit

[AC6605-wlan-view]ap-profile id 2 name 2

[AC6605-wlan-ap-prof-2]quit

[AC6605-wlan-view]ap id 1 type-id 19 mac 00e0-fc20-71e0

[AC6605-wlan-ap-1]ap id 2 type-id 19 mac 00e0-fc6f-60f0

//注册AP,ID分别为1和2,基于MAC地址注册;type-id可以通过display ap-type all查询

[AC6605-wlan-ap-2]ap id 1       //进入ID为1的AP视图

[AC6605-wlan-ap-1]region-id 1    //关联到域1

[AC6605-wlan-ap-1]ap id 2           

[AC6605-wlan-ap-2]region-id 2

[AC6605-wlan-ap-2]quit

[AC6605-wlan-view]ap-auth-mode mac-auth          //配置AP注册到AC的验证方式为MAC地址认证

[AC6605-wlan-view]ap-whitelist mac 00e0-fc20-71e0

[AC6605-wlan-view]ap-whitelist mac 00e0-fc6f-60f0

//将两台AP的MAC地址加入白名单,配合MAC认证使用。MAC地址可以被仿冒,这种认证不能单独作为AP接入的安全保障

[AC6605-wlan-view]security-profile id 1 name security-1

[AC6605-wlan-sec-prof-security-1]security-policy wpa 2

[AC6605-wlan-sec-prof-security-1]wpa2 authentication-method psk pass-phrase cipher Admin@123 encryption-method ccmp

//创建安全模板,认证方式为WPA2-PSK,加密方式为CCMP,并设置SSID接入密码。Admin@123仅为实验示例,且两个SSID共用该模板;实际部署应为每个SSID设置各自的高强度口令

[AC6605-wlan-sec-prof-security-1]quit

[AC6605-wlan-view]wmm-profile id 1 name wmm-1    //配置WMM模板,用来配置QoS

[AC6605-wlan-wmm-prof-wmm-1]quit

[AC6605-wlan-view]wmm-profile id 2 name wmm-2

[AC6605-wlan-wmm-prof-wmm-2]quit

[AC6605-wlan-view]radio-profile id 1 name radio-1   //创建射频模板

[AC6605-wlan-radio-prof-radio-1]wmm-profile id 1        //关联WMM模板

[AC6605-wlan-radio-prof-radio-1]quit

[AC6605-wlan-view]radio-profile id 2 name radio-2

[AC6605-wlan-radio-prof-radio-2]wmm-profile id 2

[AC6605-wlan-radio-prof-radio-2]quit

[AC6605-wlan-view]traffic-profile id 1 name traffic-1    //创建流量模板,用于QoS

[AC6605-wlan-traffic-prof-traffic-1]quit

[AC6605-wlan-view]traffic-profile id 2 name traffic-2

[AC6605-wlan-traffic-prof-traffic-2]quit

[AC6605-wlan-view]quit

[AC6605]interface Wlan-Ess 1               //建立一个wlan虚拟接口

[AC6605-Wlan-Ess1]port hybrid pvid vlan 101

[AC6605-Wlan-Ess1]port hybrid untagged vlan 101    //将此接口以hybrid方式加入到vlan 101

[AC6605-Wlan-Ess1]quit

[AC6605]interface Wlan-Ess 2

[AC6605-Wlan-Ess2]port hybrid pvid vlan 102

[AC6605-Wlan-Ess2]port hybrid untagged vlan 102

[AC6605-Wlan-Ess2]quit

[AC6605]wlan

[AC6605-wlan-view]service-set id 1 name huawei-1     //创建服务集

[AC6605-wlan-service-set-huawei-1]ssid huawei-1     //配置SSID

[AC6605-wlan-service-set-huawei-1]service-vlan 101     //配置服务VLAN

[AC6605-wlan-service-set-huawei-1]traffic-profile id 1    //关联流量模板

[AC6605-wlan-service-set-huawei-1]security-profile id 1    //关联安全模板

[AC6605-wlan-service-set-huawei-1]forward-mode direct-forward  //配置转发方式为直接转发

[AC6605-wlan-service-set-huawei-1]wlan-ess 1      //绑定到wlan接口 

[AC6605-wlan-service-set-huawei-1]quit

[AC6605-wlan-view]service-set id 2 name huawei-2

[AC6605-wlan-service-set-huawei-2]ssid huawei-2

[AC6605-wlan-service-set-huawei-2]service-vlan 102

[AC6605-wlan-service-set-huawei-2]wlan-ess 2

[AC6605-wlan-service-set-huawei-2]forward-mode direct-forward

[AC6605-wlan-service-set-huawei-2]security-profile id 1

[AC6605-wlan-service-set-huawei-2]traffic-profile id 2

[AC6605-wlan-service-set-huawei-2]quit

[AC6605-wlan-view]ap 1 radio 0         //进入AP 1的射频视图,0表示2.4G,如果是1则表示5G

[AC6605-wlan-radio-1/0]radio-profile id 1      //关联射频模板

[AC6605-wlan-radio-1/0]service-set id 1       //关联服务集

[AC6605-wlan-radio-1/0]quit

[AC6605-wlan-view]ap 2 radio 0

[AC6605-wlan-radio-2/0]radio-profile id 2

[AC6605-wlan-radio-2/0]service-set id 2

[AC6605-wlan-radio-2/0]quit

[AC6605-wlan-view]commit ap 1               //将配置提交给AP

[AC6605-wlan-view]commit all                 //将配置提交给全部AP


wKioL1eEpQjSejugAAFIk3ezseE748.png

在STA1上查看SSID信息并连接,密码为之前设置的Admin@123

wKiom1eEpVyDcqxDAACZOnN4d-k413.png

查看STA1的IP地址获取情况

wKiom1eEpYTiaAqSAAC7zqYqnkg958.png

测试STA1连通性

wKiom1eEqDmQbriWAAEGQQNUM4A508.png

在STA2上查看SSID信息并连接,密码为之前设置的Admin@123

wKiom1eEqG2h_utDAACZ4R1ogbY966.png

查看STA2的IP地址获取情况

wKioL1eEqK_SpvY3AAC8F0KAwJc972.png

测试STA2的连通性

wKiom1eEqMzwZxnmAAC7XcJSw94721.png

可以使用display ap all命令在AC上查看AP注册状态

wKiom1eEqTuSITgJAACQWSOuhE0613.png
